OpenBSD Journal

Apache exploit targets OpenBSD

Contributed by Dengue on from the apply-errata-folks dept.

Chris Roland writes:
"GOBBLES Security, a non-profit security organization, just released source code to exploit Apache on OpenBSD. It's interesting to read the source and see all the comments made by this group to Theo. http://online.securityfocus.com/news/493 "

Patch your systems folks.



Comments
  1. By Vincent Foley () on

    Reading from the comments, these guys seem highly immature.

    Comments
    1. By Vincent Foley () on

      s/reading/judging

      Comments
      1. By earx () on

        what is the mailing secure-announce for ?
        no mail for this exploit !

        Comments
        1. By Paul () on

          No mail for the exploit.

          No one-liner to fix the bug. (i.e. "pkg_add fix_my_damn_hole_before_it_is_exploited") -- part of making systems secure is making security easy. I run openbsd because I *don't want* to spend a lot of time thinking about security.

          No announcement on the front page of openbsd.org.

          openbsd.org still claims "Five years without a remote hole in the default install!" Is there something I misunderstand about what "remote hole" means?

          I'm losing faith here.

          Comments
          1. By Not Really Anonymous () on

            I wouldn't lose faith. It's not about the OpenBSD team making sure that your server is secure, it's about you making sure that your server is secure. No matter what operating system you use (*I prefer OpenBSD), you still need to lock it down and use other technologies to ensure security.

            The whole remote hole statement, I wouldn't get too bent on that; the fact is, the OpenBSD team has rocked, spending a lot of time and effort on this project.


          2. By earx () on

            apache is not in the default install
            but why they didn't inform us of the hole ?
            i didn't read bugtraq and i wait for mail
            of the security-announce mailing !

            Comments
            1. By Cabal () on

              Apache most definitely is in the default install.

              Comments
              1. By Rudy () on

                Sure Apache IS in the default install, but it is NOT enabled! So the default install is safe!

          3. By mirabile () on irc.openprojects.net:6667 #OpenBSD

            remote _root_ exploit.

            A server crash is no root exploit.
            A httpd exploit is no root exploit, but a wwwrun exploit.
            wwwrun != uid0

            Comments
            1. By it is () on

              it is a remote root exploit
              http://online.securityfocus.com/attachment/2002-06-20/apache-scalp.c

              Comments
              1. By gwyllion () on

                You call this root?
                uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

                http://mak.freeshell.org/exploited.txt
                http://www.anuzis.net/apachescalp.txt

                Comments
                1. By anonymous () on

                  I don't know how it is on OpenBSD but at least on linux the main httpd process is running as root and only its children are run as nobody.

                  Comments
                  1. By gwyllion () on

                    The children are exploited. So the attacker doesn't gain remote root.

                    Comments
                    1. By Anonymous Coward () on

                      So even on OpenBSD apache is exploited, you don't get root unless you use some other ( local ) exploit ? How was monkey.org (DuSong files) compromised then ?

                      Comments
                      1. By Anonymous Coward () on

                        Yes you only get a shell with nobody, I tried this exploit against my 3.0 with apache 1.3.19 box and it didn't work or drop to a shell. So I have yet to prove this exploit.

                        Comments
                        1. By Not Really Anonymous () on

                          I had the same problem executing the exploit on my boxes with the same version OpenBSD and Apache.

                          Comments
                          1. By Anonymous Coward () on

                            If the default offsets don't work for you try brute force.

                            Comments
                            1. By Anonymous Coward () on

                              Did do brute force.. Still no go!

                      2. By Someone () on

                        Good point. Dug Song claimed that monkey.org was compromised thru backdoored EPIC, gaining root thru a screened su. Could it be that there are 0-day sploits in the kernel like the comments say ?
                        And why didn't Monkey.org report that Fragroute(r) and Dsniff were backdoored until he was confronted on Bugtraq ? The arrogance...

                        Comments
                        1. By Anonymous Coward () on

                          Irssi, NOT Epic!

                      3. By Anonymous Coward () on

                        How was monkey.org (DuSong files) compromised then

                        why not read and find your answers? the compromise of monkey.org had nothing to do with apache.

                  2. By Anonymous Coward () on

                    Yes, and the main apache process *does not listen to the outside world* except for a fraction of a second at the beginning of the apache lifecycle. It just makes the connection to port 80, then stops listening and spawns children to take over that task and watches over them. So the attacker would have to be incredibly lucky to nail apache at the exact fraction of a second when it's starting...

              2. By Anonymous Coward () on

                As commented elsewhere, Apache is NOT enabled by default.

          4. By pravus () abuse@aol.com on mailto:abuse@aol.com

            sounds like you never had faith to begin with...

            why is there no announcement on the front page? a better question would be: "why should there be?"

            really, if you are a server admin who doesn't frequent security bulletin sites, you aren't really an admin. and if you want to parade around as a simple "user" of the OS, that's fine. just don't expect people to care about your system being insecure.

            the software you run is your choice. if you don't agree with the vendor's support policies, move to a different platform. it's just that simple.

            and the remote hole statement holds true. i still can't understand why that statement causes so much confusion. take the OpenBSD install... select the DEFAULT options... what you get is the *gasp* DEFAULT INSTALL. and is apache enabled? *gasp* NO! *gasp*

            is it clear now?

    2. By RC () on

      If you hadn't noticed, they've admitted that it has been used to compromise servers on at least 3 occasions. Monkey.org being one of them. You've got to admit, even if you dislike the laws, these are the few that deserve to be put away for a couple years.

  2. By webmaster () on localhost

    [Sat Jun 22 16:23:47 2002] [notice] child pid 23400 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:50 2002] [notice] child pid 22283 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:54 2002] [notice] child pid 20940 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:57 2002] [notice] child pid 28129 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:00 2002] [notice] child pid 10595 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:03 2002] [notice] child pid 9959 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:06 2002] [notice] child pid 13345 exit signal Segmentation fault (11)
    

    Comments
    1. By mak () root@bofhnet.org on mailto:root@bofhnet.org

      Those with snort might find this useful. >:)

      http://www.snort.org/article.html?id=108

      Comments
      1. By Mike () on

        I ran the apache scalp.c code against 3 machines one patched and two unpatched and it didn't seem to "spawn a shell" against any of them.

        Can anyone else confirm that the apache scalp code at packetstormsecurity.com is functional?

        Comments
        1. By mak () root@bofhnet.org on mailto:root@bofhnet.org

          Tested on OpenBSD 3.0 with apache 1.3.20


          http://mak.freeshell.org/exploited.txt

          Comments
          1. By Anonymous Coward () on

            What is the ...

            "0day OpenBSD local kernel exploit"

            ?

            Comments
            1. By Anonymous Coward () on

              Find_it_by_yourself.c

          2. By Bilou () bilou@sina.com on mailto:bilou@sina.com

            Hello,but how can I get the program "apache-scalp "?

        2. By Anonymous Coward () on

          apache-scalp.c assumes some 4 offsets to own 4 "default" flavours of OpenBSD, thus if you have Apache+PHP or anything nondefault - attackers need to rebuild your system to resolve your specific offset (or hit blindly like in example with many dying child processes)
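The run of child segfaults in the webmaster's log above, together with the "hit blindly" remark in the previous comment, is the kind of pattern a log check can flag. The following is an added Python example, not code from this thread or from the OpenBSD project: it parses Apache 1.3-style error_log lines, keeps only child exits on signal 11, and reports any run of five or more whose timestamps are each within ten seconds of the previous one. The sample log embeds the seven lines from the post plus two constructed lines (a normal startup notice and one isolated segfault hours earlier); the thresholds and the function names are my own choices.

```python
import re
from datetime import datetime, timedelta

SIGSEGV = 11

# Apache 1.3-style error_log entry for a child killed by a signal, e.g.
# [Sat Jun 22 16:23:47 2002] [notice] child pid 23400 exit signal Segmentation fault (11)
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] child pid (?P<pid>\d+) exit signal "
    r"(?P<signame>[\w ]+) \((?P<signo>\d+)\)$"
)

# Constructed sample: the seven lines from the webmaster's post plus two lines
# I added (a normal startup notice and a single, isolated segfault hours earlier).
SAMPLE_LOG = """\
[Sat Jun 22 09:00:01 2002] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Sat Jun 22 12:01:15 2002] [notice] child pid 4242 exit signal Segmentation fault (11)
[Sat Jun 22 16:23:47 2002] [notice] child pid 23400 exit signal Segmentation fault (11)
[Sat Jun 22 16:23:50 2002] [notice] child pid 22283 exit signal Segmentation fault (11)
[Sat Jun 22 16:23:54 2002] [notice] child pid 20940 exit signal Segmentation fault (11)
[Sat Jun 22 16:23:57 2002] [notice] child pid 28129 exit signal Segmentation fault (11)
[Sat Jun 22 16:24:00 2002] [notice] child pid 10595 exit signal Segmentation fault (11)
[Sat Jun 22 16:24:03 2002] [notice] child pid 9959 exit signal Segmentation fault (11)
[Sat Jun 22 16:24:06 2002] [notice] child pid 13345 exit signal Segmentation fault (11)
"""


def parse_child_exit(line):
    """Return {'ts', 'pid', 'signo'} for a child-exit line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "pid": int(m.group("pid")), "signo": int(m.group("signo"))}


def find_segv_bursts(lines, max_gap_s=10, threshold=5):
    """Group child segfaults that follow the previous one within max_gap_s seconds.

    Returns one dict per group of at least `threshold` events, with the start
    and end timestamps, the event count and the list of child pids.
    """
    max_gap = timedelta(seconds=max_gap_s)
    events = [e for e in map(parse_child_exit, lines) if e and e["signo"] == SIGSEGV]
    events.sort(key=lambda e: e["ts"])

    bursts = []

    def flush(group):
        if len(group) >= threshold:
            bursts.append({
                "start": group[0]["ts"],
                "end": group[-1]["ts"],
                "count": len(group),
                "pids": [e["pid"] for e in group],
            })

    group = []
    for e in events:
        # A gap larger than max_gap closes the current group.
        if group and e["ts"] - group[-1]["ts"] > max_gap:
            flush(group)
            group = []
        group.append(e)
    flush(group)
    return bursts


if __name__ == "__main__":
    for b in find_segv_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['count']} child segfaults between {b['start']:%H:%M:%S} "
              f"and {b['end']:%H:%M:%S}; pids {b['pids']}")
```

Run against a real error_log with `find_segv_bursts(open("/var/www/logs/error_log").read().splitlines())`; the single 12:01:15 segfault in the sample is ignored because one crash in isolation is ordinary, while the seven crashes three to four seconds apart are reported as one burst.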

  3. By Anonymous Coward () on

    This whole "root for low ports" is the most brain-dead idiotic "security" measure that has ever existed on Unix. If all users were allowed to bind to "privileged" ports, this would be a remote user compromise, not a remote root 'sploit. I've been saying this for years: Making processes such as bind, httpd, and other things which are essentially just serving information run at the highest privilege level is idiotic. Whenever I bring this up on the OpenBSD list I get flamed. However no one seems able to come up with a reason why that "privileged port" thing still exists. It made some sense back a long time ago but it no longer has any security purpose and it is the fundamental cause of most exploits these days.

    Comments
    1. By Anonymous Coward () on

      Run Apache on 8080, and use pf to redirect. Voila .. root no longer necessary.

    2. By Michael Anuzis () michael_anuzis@hotmail.com on http://www.anuzis.net

      FYI:

      The exploit is not remote root, it affects apache's children that either run as "nobody" or "www"
      See: http://www.anuzis.net/apachescalp.txt

      p.s. Running it on port 8080 with pf redirection would make ~no difference in the result of the compromise.

      Comments
      1. By Anonymous Coward () on

        well it would make a difference. if you ran apache as nobody or wwwrun on 8080.. it couldn't do anything bad.

        Comments
        1. By Anonymous Coward () on

          It will still drop a shell prompt when exploited and have the perms of your httpd. The situation has not changed by running on port 8080

    3. By Anonymous Coward () on

      Oh, you mean like in Linux, where you can set a low-port-bind flag on a process *instead* of running it as root.

    4. By Anonymous Coward () on

      "Root for low ports" was never intended as a security measure. It was intended to enforce local policy so that your average moron user couldn't start telnetd even if he felt like it. It fits very well with the traditional Unix security model--it's just that the traditional Unix security model isn't very good in a hostile environment.

      BTW, the "fundamental cause of most exploits these days" is stupid programmers. If all software was as well written as Apache, Postfix, and BIND 9, we wouldn't need to consider changes to the traditional Unix security model.

    5. By Ben Johnson () ben-openbsd@remove.johnsonworld.this.com on www.johnsonworld.com

      I concur!

      There *was* some logic in having root hold sway over the lower ports - a Unix server that could launch an attack would by default have to be logged in as root or compromised. This limited the number of computers that could launch an attack.

      Now that everybody has a Windows box, and a DIY Unix is easy - every computer can launch an attack.

      The compelling idea that you should only give a process the bare minimum resources to function should hold sway over the tradition of root for low ports. If it's too hard to massage Apache et al into not using root - then there should be another process that monitors them for 'appropriate' behaviour. Example: any spawn of Apache should be killed if it attempts to spawn a shell.


      But what do I know - I just buy the CDs and paste the stickers.


      Comments
      1. By Michael Anuzis () on http://www.anuzis.net

        http://www.citi.umich.edu/u/provos/systrace/

  4. By Anonymous Coward () on

    I think Gobbles is Theo

    Comments
    1. By Not Really Anonymous () on

      Split personality?

  5. By gnudutch () on


    Does anybody have the quick fix???

    Comments
    1. By gwyllion () on

      The obvious place is http://www.openbsd.org/errata.html

    2. By Anonymous Coward () on

      update to apache 2.0.39/1.3.26

    3. By pravus () on

      the fix for you is to dig out your DOS 6.2 diskettes and re-install.

  6. By BokLM () boklm@mars-attacks.org on http://www.mars-attacks.org

    Isn't it a remote hole in the default install ?
    Why do they keep this on the website !!
    If they consider that apache is not a part of the default install (it is installed but not running), that's stupid and most OS could say the same...

    OpenBSD is a good and secure OS, but I think that saying "no remote hole in the default install" is not true. I think it would be good to remove this from the website...

    Comments
    1. By submicron () on

      Get over yourself. Apache comes with the distribution but is not installed and running by default for exactly this reason. OpenBSD is a very svelte default installation (part of the appeal incidentally) and moronic things like a webserver running on it straight out of the box just aren't done. So no, this is not an example of a remote exploit in the default install and no, the website's slogan should not be appended.

      Comments
      1. By Bill Gates () on

        My MS-DOS is "Fifteen+ years without a remote hole in the default install." That's why it was the world's best-selling software in the past.

        Remember, "MS-DOS is simply the best secure OS in the world."

    2. By Anonymous Coward () on

      Few OSs can say they are secure from a remote
      exploit on a default install. VERY few.;; only one;;
      Stupid is having to go through and turn off a bunch of
      services before you feel safe.
      --
      Smart is an OS that lets the admin decide what to run.
      Why is this so hard to understand?
      If the service is not on, the user is safe.

    3. By gwyllion () on

      Gobbles has released a newer version of their exploit http://online.securityfocus.com/attachment/2002-06-23/apache-nosejob.c

      Comments
      1. By Anonymous Coward () on

        This Gobbles is an immature little jerk. Patch your crap like you're supposed to.

        end of discussion

    4. By Not Really Anonymous () on

      Who really cares about that one statement?

      I don't know anyone who would only use a secure OS as their only means of making sure their information is secure.

      If you do care about that statement, why? Does the OS only depend on this statement?

      Also, I could understand if OpenBSD was a commercial product, because then they would be able to use that "statement" to market themselves, but they are not.

      Unlike Oracle's claims that their database software is "unbreakable", why don't people go after that?

  7. By Anonymous Coward () on

    Just a quick note for those who are still in doubt if the exploit is real or not: exploit is real and it works!

    I happened to leave on a business trip for a week exactly on the same date as the exploit was released. I could not patch the apache running on our company's server until after 4 days later. Guess what? When I came back and looked over the logs I could see clearly that our server was broken into using that Gobbles exploit. No major harm was done, since www user is not that powerful on my server, but database that is normally accessed via web interface, was screwed up badly - I had to restore it from a week old backup.

    Moral:
    1. Patch your systems as quickly as possible;
    2. Backup! Backup! Backup!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]